NAME¶

pscan - Format string security checker for C source code

SYNOPSIS¶

pscan [options]

DESCRIPTION¶

pscan is a source code analysis tool which is designed to highlight potentially dangerous uses of variadic functions such as "printf", "syslog", etc. The scan works by looking for a one of a list of problem functions, and applying the following rule:

IF the last parameter of the function is the format string, AND the format string is NOT a static string, THEN complain.

LIMITATIONS¶

The code will not report on some potention buffer overflows, because that is not its goal. For example the following code is potential dangerous:

sprintf(static_buffer, %s/.foorc", getenv("HOME"));"

This code could cause an issue as there is no immediately obvious bounds checking. However this is a safe usages with regards to format strings.

RETURN VALUES¶

If there are any errors found, pscan exits with status 1.

AUTHOR¶

Alan DeKok <aland@ox.org>

Source file:	pscan.1.en.gz (from pscan 1.2-9+b2)
Source last updated:	2008-07-25T23:10:01Z
Converted to HTML:	2021-03-28T09:40:05Z